Friday, January 18, 2008

Skype videomood Cross Site Scripting

Update:
Reader chaimhaas pointed me to a post by Villu Arak about this issue. "The issue, demonstrated by security researchers as a proof of concept, was neutralized before actual attackers took advantage of it, therefore Skype users are unlikely to have been affected. Skype has temporarily disabled users' ability to add videos from the Dailymotion gallery until an official fix has been made available. In turn, Dailymotion is addressing the vulnerability on their web site. For a more detailed description of the issue, please see the most recent Skype Security Bulletin."

Miroslav Lučinskij of Critical Security (Vilnius, Lithuania) is reporting a Skype videomood cross-site scripting (XSS) vulnerability at insecure.org.
"The team were able to find some permanent XSS vectors in dailymotion.com: videos have a 'Title' field, which is not properly filtered and is returned to the user in certain conditions. So it becomes possible to execute malicious script content when a user is searching for a video to add to his mood. You may also test it by entering the word 'saugumas' in the dailymotion.com video search field."
Larger screenshots are available here: http://www.critical.lt/?opinions/show/1470
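To make the defect concrete, here is an added example (my own code, not the original post's and not Skype's or Dailymotion's) of a toy search-results renderer: one version echoes a stored video title into HTML unencoded, the other HTML-encodes it. The catalogue entries, the marker title and the function names are constructed for illustration.

```javascript
// Added example, not code from the original post, Skype or Dailymotion:
// a toy search-results renderer that reproduces the defect described above
// (a stored video 'Title' echoed into HTML without output encoding) next to
// the encoded version.

// Constructed catalogue. The second entry stands in for a title someone has
// stored so that it surfaces whenever a user searches for "saugumas".
const VIDEOS = [
  { id: 101, title: "Saugumas: a walk through Vilnius" },
  { id: 102, title: "saugumas <script>alert('stored xss')</script>" },
];

// Case-insensitive substring search over titles, like a video search box.
function searchVideos(query, catalogue = VIDEOS) {
  const q = query.toLowerCase();
  return catalogue.filter((v) => v.title.toLowerCase().includes(q));
}

// Minimal HTML entity encoding for text placed inside element content or a
// double-quoted attribute.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the stored title is interpolated verbatim, so any markup in it
// becomes part of the page that the searcher's browser (or an embedded web
// view such as a client's mood picker) executes.
function renderResultsUnsafe(results) {
  return results.map((v) => `<li data-id="${v.id}">${v.title}</li>`).join("");
}

// Fixed: every untrusted field is encoded for the HTML context it lands in.
function renderResultsSafe(results) {
  return results
    .map((v) => `<li data-id="${escapeHtml(v.id)}">${escapeHtml(v.title)}</li>`)
    .join("");
}

// Regression check a developer can run over rendered output: a title that
// contains a tag must never reach the markup in raw form.
function leaksRawTag(html, results) {
  return results.some((v) => /<[a-z]/i.test(v.title) && html.includes(v.title));
}
```

Running `leaksRawTag` against every rendered search page is the kind of check that would have flagged the Dailymotion title field before the mood picker ever displayed it.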
